<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width,initial-scale=1">
    <title>web常见的攻击方式有哪些？如何防御？ | 前端档案</title>
    <meta name="generator" content="VuePress 1.8.2">
    <link rel="icon" href="/favicon.ico">
    <meta name="description" content="前端通关宝典">
    <meta name="theme-color" content="#3eaf7c">
    <meta name="apple-mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-status-bar-style" content="black">
    
    <link rel="preload" href="/assets/css/0.styles.e02fc531.css" as="style"><link rel="preload" href="/assets/js/app.bf44e39b.js" as="script"><link rel="preload" href="/assets/js/2.db7a59af.js" as="script"><link rel="preload" href="/assets/js/39.f71e5e3d.js" as="script"><link rel="prefetch" href="/assets/js/10.3bbe2f24.js"><link rel="prefetch" href="/assets/js/100.43061c81.js"><link rel="prefetch" href="/assets/js/101.2e8a188c.js"><link rel="prefetch" href="/assets/js/102.3f4f14f0.js"><link rel="prefetch" href="/assets/js/103.5ed45f48.js"><link rel="prefetch" href="/assets/js/104.29ef9283.js"><link rel="prefetch" href="/assets/js/105.e4051d70.js"><link rel="prefetch" href="/assets/js/106.ec073f00.js"><link rel="prefetch" href="/assets/js/107.9b165150.js"><link rel="prefetch" href="/assets/js/108.c0031864.js"><link rel="prefetch" href="/assets/js/109.06bb75a7.js"><link rel="prefetch" href="/assets/js/11.402e3434.js"><link rel="prefetch" href="/assets/js/110.edc92528.js"><link rel="prefetch" href="/assets/js/111.e50e0cca.js"><link rel="prefetch" href="/assets/js/112.b0decdf4.js"><link rel="prefetch" href="/assets/js/113.f0801886.js"><link rel="prefetch" href="/assets/js/114.25ab8fa4.js"><link rel="prefetch" href="/assets/js/115.36fc62f3.js"><link rel="prefetch" href="/assets/js/116.8df9a6aa.js"><link rel="prefetch" href="/assets/js/117.1ec0fada.js"><link rel="prefetch" href="/assets/js/118.51c54869.js"><link rel="prefetch" href="/assets/js/119.d708669d.js"><link rel="prefetch" href="/assets/js/12.eba9a66a.js"><link rel="prefetch" href="/assets/js/120.a44efeea.js"><link rel="prefetch" href="/assets/js/121.581a4ae4.js"><link rel="prefetch" href="/assets/js/122.e54e19e1.js"><link rel="prefetch" href="/assets/js/123.62aa41d0.js"><link rel="prefetch" href="/assets/js/124.c51c6b7f.js"><link rel="prefetch" href="/assets/js/125.68055811.js"><link rel="prefetch" href="/assets/js/126.8b16d246.js"><link rel="prefetch" href="/assets/js/127.fc7608d6.js"><link rel="prefetch" 
href="/assets/js/128.0df431fc.js"><link rel="prefetch" href="/assets/js/129.77241cfd.js"><link rel="prefetch" href="/assets/js/13.a3e65817.js"><link rel="prefetch" href="/assets/js/130.2bf0b622.js"><link rel="prefetch" href="/assets/js/131.77da1093.js"><link rel="prefetch" href="/assets/js/132.c1ac84bc.js"><link rel="prefetch" href="/assets/js/133.001af559.js"><link rel="prefetch" href="/assets/js/134.98ff69db.js"><link rel="prefetch" href="/assets/js/135.b91963f4.js"><link rel="prefetch" href="/assets/js/136.e3df531a.js"><link rel="prefetch" href="/assets/js/137.157c5a5f.js"><link rel="prefetch" href="/assets/js/138.1d3a1791.js"><link rel="prefetch" href="/assets/js/139.9e17df54.js"><link rel="prefetch" href="/assets/js/14.bd9cc5f8.js"><link rel="prefetch" href="/assets/js/140.22839840.js"><link rel="prefetch" href="/assets/js/141.dbde614d.js"><link rel="prefetch" href="/assets/js/142.5a6858ba.js"><link rel="prefetch" href="/assets/js/143.e26d707c.js"><link rel="prefetch" href="/assets/js/144.5b1fbe13.js"><link rel="prefetch" href="/assets/js/145.09921e20.js"><link rel="prefetch" href="/assets/js/146.8ea606b7.js"><link rel="prefetch" href="/assets/js/147.41bda9d5.js"><link rel="prefetch" href="/assets/js/148.d89f18bc.js"><link rel="prefetch" href="/assets/js/149.16aa39c9.js"><link rel="prefetch" href="/assets/js/15.deb2f25a.js"><link rel="prefetch" href="/assets/js/150.07798494.js"><link rel="prefetch" href="/assets/js/151.6732ee94.js"><link rel="prefetch" href="/assets/js/152.c644167e.js"><link rel="prefetch" href="/assets/js/153.040f256b.js"><link rel="prefetch" href="/assets/js/154.1cec3035.js"><link rel="prefetch" href="/assets/js/155.a4b51a17.js"><link rel="prefetch" href="/assets/js/156.095b78e0.js"><link rel="prefetch" href="/assets/js/157.eb262a26.js"><link rel="prefetch" href="/assets/js/158.35756e8c.js"><link rel="prefetch" href="/assets/js/159.6ac43664.js"><link rel="prefetch" href="/assets/js/16.c7b17381.js"><link rel="prefetch" 
href="/assets/js/160.0a56c40c.js"><link rel="prefetch" href="/assets/js/161.8320b48a.js"><link rel="prefetch" href="/assets/js/162.09ba1172.js"><link rel="prefetch" href="/assets/js/163.f7fb82e8.js"><link rel="prefetch" href="/assets/js/164.ab9df42b.js"><link rel="prefetch" href="/assets/js/165.f012858f.js"><link rel="prefetch" href="/assets/js/166.b3f190e3.js"><link rel="prefetch" href="/assets/js/167.43b66e59.js"><link rel="prefetch" href="/assets/js/168.4eb162d3.js"><link rel="prefetch" href="/assets/js/169.0375d2cf.js"><link rel="prefetch" href="/assets/js/17.da61c942.js"><link rel="prefetch" href="/assets/js/170.90c9c235.js"><link rel="prefetch" href="/assets/js/171.672fc257.js"><link rel="prefetch" href="/assets/js/172.dfa9d8d9.js"><link rel="prefetch" href="/assets/js/173.61a6ec8e.js"><link rel="prefetch" href="/assets/js/174.4f4ef0d7.js"><link rel="prefetch" href="/assets/js/175.675d01d1.js"><link rel="prefetch" href="/assets/js/176.5bd1bcb7.js"><link rel="prefetch" href="/assets/js/177.4355dadd.js"><link rel="prefetch" href="/assets/js/178.79ed29b8.js"><link rel="prefetch" href="/assets/js/179.2247dc30.js"><link rel="prefetch" href="/assets/js/18.6e554767.js"><link rel="prefetch" href="/assets/js/180.db79361a.js"><link rel="prefetch" href="/assets/js/181.85a33295.js"><link rel="prefetch" href="/assets/js/182.0bc317bc.js"><link rel="prefetch" href="/assets/js/183.7769a38e.js"><link rel="prefetch" href="/assets/js/184.9b0aba05.js"><link rel="prefetch" href="/assets/js/185.f6dc87bd.js"><link rel="prefetch" href="/assets/js/186.e3b7de00.js"><link rel="prefetch" href="/assets/js/187.a6dadcea.js"><link rel="prefetch" href="/assets/js/188.d3f8b0e3.js"><link rel="prefetch" href="/assets/js/189.1112499f.js"><link rel="prefetch" href="/assets/js/19.f800e0d1.js"><link rel="prefetch" href="/assets/js/190.e3255e84.js"><link rel="prefetch" href="/assets/js/191.34deece6.js"><link rel="prefetch" href="/assets/js/192.69821c0e.js"><link rel="prefetch" 
href="/assets/js/193.769a5088.js"><link rel="prefetch" href="/assets/js/194.afaa2cde.js"><link rel="prefetch" href="/assets/js/195.5b94bbc6.js"><link rel="prefetch" href="/assets/js/196.3b078264.js"><link rel="prefetch" href="/assets/js/197.2d9585d3.js"><link rel="prefetch" href="/assets/js/198.3095d8b8.js"><link rel="prefetch" href="/assets/js/199.79b6db11.js"><link rel="prefetch" href="/assets/js/20.4a74a968.js"><link rel="prefetch" href="/assets/js/200.c309ef7a.js"><link rel="prefetch" href="/assets/js/201.bded46e8.js"><link rel="prefetch" href="/assets/js/202.801fb3ea.js"><link rel="prefetch" href="/assets/js/203.b9933f5e.js"><link rel="prefetch" href="/assets/js/204.255b43df.js"><link rel="prefetch" href="/assets/js/205.000fb7ac.js"><link rel="prefetch" href="/assets/js/206.8f945829.js"><link rel="prefetch" href="/assets/js/207.74942b2e.js"><link rel="prefetch" href="/assets/js/208.329d8230.js"><link rel="prefetch" href="/assets/js/209.3fc54586.js"><link rel="prefetch" href="/assets/js/21.5f725cbd.js"><link rel="prefetch" href="/assets/js/210.1aa9659f.js"><link rel="prefetch" href="/assets/js/211.702df03f.js"><link rel="prefetch" href="/assets/js/212.ca95f208.js"><link rel="prefetch" href="/assets/js/213.024b4fa6.js"><link rel="prefetch" href="/assets/js/214.e2830dd8.js"><link rel="prefetch" href="/assets/js/215.0b646cb4.js"><link rel="prefetch" href="/assets/js/216.9bd6d019.js"><link rel="prefetch" href="/assets/js/217.586593b4.js"><link rel="prefetch" href="/assets/js/218.a2244829.js"><link rel="prefetch" href="/assets/js/219.1d858220.js"><link rel="prefetch" href="/assets/js/22.7d2b7a74.js"><link rel="prefetch" href="/assets/js/220.7f5e3dbd.js"><link rel="prefetch" href="/assets/js/221.d1f79d31.js"><link rel="prefetch" href="/assets/js/222.51d8a12c.js"><link rel="prefetch" href="/assets/js/223.797028ea.js"><link rel="prefetch" href="/assets/js/224.d925bf8b.js"><link rel="prefetch" href="/assets/js/225.cfe12606.js"><link rel="prefetch" 
href="/assets/js/226.b6bd41b4.js"><link rel="prefetch" href="/assets/js/227.15412d16.js"><link rel="prefetch" href="/assets/js/228.66af5157.js"><link rel="prefetch" href="/assets/js/229.cfb11559.js"><link rel="prefetch" href="/assets/js/23.1409c9f4.js"><link rel="prefetch" href="/assets/js/230.d2e613b5.js"><link rel="prefetch" href="/assets/js/231.85b8958b.js"><link rel="prefetch" href="/assets/js/232.42df48c8.js"><link rel="prefetch" href="/assets/js/233.d3be0c78.js"><link rel="prefetch" href="/assets/js/234.bb68d0be.js"><link rel="prefetch" href="/assets/js/235.bfd00052.js"><link rel="prefetch" href="/assets/js/236.3d58cc9d.js"><link rel="prefetch" href="/assets/js/237.d9af6062.js"><link rel="prefetch" href="/assets/js/238.54894974.js"><link rel="prefetch" href="/assets/js/239.b69669d0.js"><link rel="prefetch" href="/assets/js/24.e06b2b32.js"><link rel="prefetch" href="/assets/js/240.44f7b333.js"><link rel="prefetch" href="/assets/js/241.2d307b1a.js"><link rel="prefetch" href="/assets/js/242.47aecf42.js"><link rel="prefetch" href="/assets/js/243.b5afbb6e.js"><link rel="prefetch" href="/assets/js/244.8e04094f.js"><link rel="prefetch" href="/assets/js/245.78009475.js"><link rel="prefetch" href="/assets/js/246.eb7991c2.js"><link rel="prefetch" href="/assets/js/247.00c024fd.js"><link rel="prefetch" href="/assets/js/248.144c2842.js"><link rel="prefetch" href="/assets/js/249.35bae652.js"><link rel="prefetch" href="/assets/js/25.5e7aeaa8.js"><link rel="prefetch" href="/assets/js/250.854bde18.js"><link rel="prefetch" href="/assets/js/251.7cbb77f8.js"><link rel="prefetch" href="/assets/js/252.1ed96448.js"><link rel="prefetch" href="/assets/js/253.9d736b7d.js"><link rel="prefetch" href="/assets/js/254.137c6595.js"><link rel="prefetch" href="/assets/js/255.ac6865dc.js"><link rel="prefetch" href="/assets/js/256.055e06fd.js"><link rel="prefetch" href="/assets/js/257.63559614.js"><link rel="prefetch" href="/assets/js/258.b6958ba1.js"><link rel="prefetch" 
href="/assets/js/259.bc6da491.js"><link rel="prefetch" href="/assets/js/26.77d42111.js"><link rel="prefetch" href="/assets/js/260.a8e9559d.js"><link rel="prefetch" href="/assets/js/261.b051c6dd.js"><link rel="prefetch" href="/assets/js/262.e83c7ca8.js"><link rel="prefetch" href="/assets/js/263.bd14a165.js"><link rel="prefetch" href="/assets/js/264.65c3b624.js"><link rel="prefetch" href="/assets/js/265.db4371b9.js"><link rel="prefetch" href="/assets/js/266.97118d6c.js"><link rel="prefetch" href="/assets/js/267.de83cb0b.js"><link rel="prefetch" href="/assets/js/268.2bdd86cb.js"><link rel="prefetch" href="/assets/js/269.9c9a802f.js"><link rel="prefetch" href="/assets/js/27.fa37605f.js"><link rel="prefetch" href="/assets/js/270.f599f9fe.js"><link rel="prefetch" href="/assets/js/271.275d4619.js"><link rel="prefetch" href="/assets/js/272.ed0fabf6.js"><link rel="prefetch" href="/assets/js/273.fc279fbe.js"><link rel="prefetch" href="/assets/js/274.fe4b3d21.js"><link rel="prefetch" href="/assets/js/275.922677e1.js"><link rel="prefetch" href="/assets/js/276.597ceb81.js"><link rel="prefetch" href="/assets/js/277.71871d2e.js"><link rel="prefetch" href="/assets/js/278.10923657.js"><link rel="prefetch" href="/assets/js/279.cddbf2d7.js"><link rel="prefetch" href="/assets/js/28.7418a003.js"><link rel="prefetch" href="/assets/js/280.66542c64.js"><link rel="prefetch" href="/assets/js/281.c7ca5292.js"><link rel="prefetch" href="/assets/js/282.d105ef08.js"><link rel="prefetch" href="/assets/js/283.ae8d69c7.js"><link rel="prefetch" href="/assets/js/284.8763c337.js"><link rel="prefetch" href="/assets/js/285.cce4e007.js"><link rel="prefetch" href="/assets/js/29.42b5bf54.js"><link rel="prefetch" href="/assets/js/3.a2af090e.js"><link rel="prefetch" href="/assets/js/30.7fe0ece5.js"><link rel="prefetch" href="/assets/js/31.e05d012e.js"><link rel="prefetch" href="/assets/js/32.0a6466c6.js"><link rel="prefetch" href="/assets/js/33.8db270b1.js"><link rel="prefetch" 
href="/assets/js/34.c6e6ae70.js"><link rel="prefetch" href="/assets/js/35.8fc12d56.js"><link rel="prefetch" href="/assets/js/36.cb54baf3.js"><link rel="prefetch" href="/assets/js/37.656cb8eb.js"><link rel="prefetch" href="/assets/js/38.9152ff6b.js"><link rel="prefetch" href="/assets/js/4.02de3c47.js"><link rel="prefetch" href="/assets/js/40.3d664ab4.js"><link rel="prefetch" href="/assets/js/41.fc6e4f78.js"><link rel="prefetch" href="/assets/js/42.c17c3353.js"><link rel="prefetch" href="/assets/js/43.e78a329f.js"><link rel="prefetch" href="/assets/js/44.326a0948.js"><link rel="prefetch" href="/assets/js/45.67e6e1d4.js"><link rel="prefetch" href="/assets/js/46.85f71b1e.js"><link rel="prefetch" href="/assets/js/47.f2e524a6.js"><link rel="prefetch" href="/assets/js/48.843108ee.js"><link rel="prefetch" href="/assets/js/49.98713c95.js"><link rel="prefetch" href="/assets/js/5.f38c3daa.js"><link rel="prefetch" href="/assets/js/50.2c70898f.js"><link rel="prefetch" href="/assets/js/51.023fea5d.js"><link rel="prefetch" href="/assets/js/52.3877af4c.js"><link rel="prefetch" href="/assets/js/53.3938d117.js"><link rel="prefetch" href="/assets/js/54.4cf45721.js"><link rel="prefetch" href="/assets/js/55.6894de94.js"><link rel="prefetch" href="/assets/js/56.48fd0f63.js"><link rel="prefetch" href="/assets/js/57.2c3b8155.js"><link rel="prefetch" href="/assets/js/58.fee976b4.js"><link rel="prefetch" href="/assets/js/59.d57c3ac9.js"><link rel="prefetch" href="/assets/js/6.a7d50f34.js"><link rel="prefetch" href="/assets/js/60.9954df49.js"><link rel="prefetch" href="/assets/js/61.1b870f60.js"><link rel="prefetch" href="/assets/js/62.37537ac3.js"><link rel="prefetch" href="/assets/js/63.5e7cfac8.js"><link rel="prefetch" href="/assets/js/64.407003ca.js"><link rel="prefetch" href="/assets/js/65.ba6c5d7d.js"><link rel="prefetch" href="/assets/js/66.2b5a751b.js"><link rel="prefetch" href="/assets/js/67.2faf15d0.js"><link rel="prefetch" href="/assets/js/68.19e50dcb.js"><link rel="prefetch" 
href="/assets/js/69.eec003cb.js"><link rel="prefetch" href="/assets/js/7.6c196c91.js"><link rel="prefetch" href="/assets/js/70.98d2461a.js"><link rel="prefetch" href="/assets/js/71.184225a4.js"><link rel="prefetch" href="/assets/js/72.956d136a.js"><link rel="prefetch" href="/assets/js/73.3e68378e.js"><link rel="prefetch" href="/assets/js/74.cec669e7.js"><link rel="prefetch" href="/assets/js/75.d418b5f0.js"><link rel="prefetch" href="/assets/js/76.f3f9ccd6.js"><link rel="prefetch" href="/assets/js/77.f24df03b.js"><link rel="prefetch" href="/assets/js/78.7eee67a8.js"><link rel="prefetch" href="/assets/js/79.8fadb3f7.js"><link rel="prefetch" href="/assets/js/8.b7eb2fb2.js"><link rel="prefetch" href="/assets/js/80.4f6165b0.js"><link rel="prefetch" href="/assets/js/81.49b03807.js"><link rel="prefetch" href="/assets/js/82.7ea07224.js"><link rel="prefetch" href="/assets/js/83.d6bd71b7.js"><link rel="prefetch" href="/assets/js/84.26db1aa8.js"><link rel="prefetch" href="/assets/js/85.c8f1f3bb.js"><link rel="prefetch" href="/assets/js/86.fd1c3c7f.js"><link rel="prefetch" href="/assets/js/87.38ab6ed9.js"><link rel="prefetch" href="/assets/js/88.f0a874e0.js"><link rel="prefetch" href="/assets/js/89.2b3352d4.js"><link rel="prefetch" href="/assets/js/9.d7ae4925.js"><link rel="prefetch" href="/assets/js/90.286cc7d4.js"><link rel="prefetch" href="/assets/js/91.c17c366b.js"><link rel="prefetch" href="/assets/js/92.29bc2389.js"><link rel="prefetch" href="/assets/js/93.6d335097.js"><link rel="prefetch" href="/assets/js/94.89ab26c7.js"><link rel="prefetch" href="/assets/js/95.f2493183.js"><link rel="prefetch" href="/assets/js/96.6662ec36.js"><link rel="prefetch" href="/assets/js/97.22c9d3f9.js"><link rel="prefetch" href="/assets/js/98.0b0b77a2.js"><link rel="prefetch" href="/assets/js/99.df5f5981.js">
    <link rel="stylesheet" href="/assets/css/0.styles.e02fc531.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="sidebar-button"><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" role="img" viewBox="0 0 448 512" class="icon"><path fill="currentColor" d="M436 124H12c-6.627 0-12-5.373-12-12V80c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12z"></path></svg></div> <a href="/" class="home-link router-link-active"><img src="/images/logo.png" alt="前端档案" class="logo"> <span class="site-name can-hide">前端档案</span></a> <div class="links"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><div class="nav-item"><a href="/guide/" class="nav-link">
</a></div> <!----></nav></div></header> <div class="sidebar-mask"></div> <aside class="sidebar"><nav class="nav-links"><div class="nav-item"><a href="/guide/" class="nav-link">
</a></div> <!----></nav>  <ul class="sidebar-links"><li><a href="/base/" aria-current="page" class="sidebar-link">计算机基础</a></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>算法</span> <span class="arrow right"></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading open"><span>HTTP</span> <span class="arrow down"></span></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/base/http/" aria-current="page" class="sidebar-link">HTTP</a></li><li><a href="/base/http/after_url.html" class="sidebar-link">输入 URL 后</a></li><li><a href="/base/http/handshakes_waves.html" class="sidebar-link">三次握手和四次挥手</a></li><li><a href="/base/http/status.html" class="sidebar-link">面试官：说说HTTP 常见的状态码有哪些，适用场景？</a></li><li><a href="/base/http/cross_domain.html" class="sidebar-link">跨域</a></li><li><a href="/base/http/1.0_1.1_2.0.html" class="sidebar-link">面试官：说说 HTTP1.0/1.1/2.0 的区别?</a></li><li><a href="/base/http/security.html" aria-current="page" class="active sidebar-link">web常见的攻击方式有哪些？如何防御？</a><ul class="sidebar-sub-headers"><li class="sidebar-sub-header"><a href="/base/http/security.html#xss-和-csrf-背诵" class="sidebar-link">XSS 和 CSRF 背诵</a></li><li class="sidebar-sub-header"><a href="/base/http/security.html#一、是什么" class="sidebar-link">一、是什么</a></li><li class="sidebar-sub-header"><a href="/base/http/security.html#二、xss" class="sidebar-link">二、XSS</a></li><li class="sidebar-sub-header"><a href="/base/http/security.html#三、csrf" class="sidebar-link">三、CSRF</a></li><li class="sidebar-sub-header"><a href="/base/http/security.html#四、sql注入" class="sidebar-link">四、SQL注入</a></li><li class="sidebar-sub-header"><a href="/base/http/security.html#参考文献" class="sidebar-link">参考文献</a></li></ul></li><li><a href="/base/http/HTTPS.html" class="sidebar-link">面试官：为什么说HTTPS比HTTP安全? 
HTTPS是如何保证安全的？</a></li><li><a href="/base/http/WebSocket.html" class="sidebar-link">面试官：说说对WebSocket的理解？应用场景？</a></li><li><a href="/base/http/UDP_TCP.html" class="sidebar-link">UDP、TCP区别</a></li><li><a href="/base/http/OSI.html" class="sidebar-link">面试官：如何理解OSI七层模型?</a></li><li><a href="/base/http/TCP_IP.html" class="sidebar-link">面试官：如何理解TCP/IP协议?</a></li><li><a href="/base/http/DNS.html" class="sidebar-link">面试官：DNS协议 是什么？说说DNS 完整的查询过程?</a></li><li><a href="/base/http/CDN.html" class="sidebar-link">面试官：如何理解CDN？说说实现原理？</a></li><li><a href="/base/http/GET_POST.html" class="sidebar-link">面试官：说一下 GET 和 POST 的区别？</a></li><li><a href="/base/http/headers.html" class="sidebar-link">面试官：说说 HTTP 常见的请求头有哪些? 作用？</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>Linux</span> <span class="arrow right"></span></p> <!----></section></li></ul> </aside> <main class="page"> <div class="theme-default-content content__default"><h1 id="web常见的攻击方式有哪些-如何防御"><a href="#web常见的攻击方式有哪些-如何防御" class="header-anchor">#</a> web常见的攻击方式有哪些？如何防御？</h1> <p><img src="https://static.vue-js.com/d0892930-8d1d-11eb-ab90-d9ae814b240d.png" alt="security"></p> <h2 id="xss-和-csrf-背诵"><a href="#xss-和-csrf-背诵" class="header-anchor">#</a> XSS 和 CSRF 背诵</h2> <h3 id="xss"><a href="#xss" class="header-anchor">#</a> XSS</h3> <ul><li>Cross Site Scripting: 跨站脚本攻击</li> <li>在网站上注入恶意的客户端代码</li> <li>攻击浏览器，篡改浏览器正常展示，窃取用户信息</li> <li>反射型（非持久型）、存储型（持久性）、基于 DOM
<ul><li>反射型：恶意脚本放在请求 URL 中，服务端取出后直接拼接进 HTML 返回，浏览器执行后可窃取 cookie 等用户信息</li> <li>存储型：恶意脚本被提交并长期保存在服务器端（如评论、帖子），所有访问该内容的用户都会执行它</li> <li>基于 DOM：恶意代码不经过服务端拼接，而是由前端 JavaScript 从 URL 等位置取出并执行，从而篡改页面展示</li></ul></li> <li>防御
<ul><li>输入过滤</li> <li>输出转义（按输出位置选择 HTML、属性、JS 等对应的编码）</li> <li>给 Cookie 设置 HttpOnly 属性（在响应头 Set-Cookie 中），使页面脚本无法读取 Cookie</li></ul></li></ul> <h3 id="csrf"><a href="#csrf" class="header-anchor">#</a> CSRF</h3> <ul><li>名词解释：Cross-site request forgery: 跨站请求伪造</li> <li>攻击原理：诱导已登录 A 站（浏览器中已有 A 下发的 cookie）的用户访问恶意页面或链接，该页面向 A 发起请求时浏览器会自动带上 A 的 cookie，从而以用户的身份向 A 伪造请求</li> <li>防御措施：主要在服务器端
<ul><li>Token 验证（主流方式）</li> <li>Referer 验证：服务器中检查请求头 Referer 字段确认请求来源；该字段可能被浏览器或隐私策略省略，只能作为辅助手段</li> <li>加验证码（成本高，需要每个接口都加）</li> <li>隐藏令牌</li></ul></li></ul> <p>XSS（跨站脚本攻击）：</p> <ul><li>攻击原理：<a href="http://www.imooc.com/learn/812" target="_blank" rel="noopener noreferrer">http://www.imooc.com/learn/812<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></li> <li>防御措施：<a href="http://www.imooc.com/learn/812" target="_blank" rel="noopener noreferrer">http://www.imooc.com/learn/812<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></li></ul> <h2 id="一、是什么"><a href="#一、是什么" class="header-anchor">#</a> 一、是什么</h2> <p>Web攻击（WebAttack）是针对用户上网行为或网站服务器等设备进行攻击的行为</p> <p>如植入恶意代码，修改网站权限，获取网站用户隐私信息等等</p> <p>Web应用程序的安全性是任何基于Web业务的重要组成部分</p> <p>确保Web应用程序安全十分重要，即使是代码中很小的 bug 也有可能导致隐私信息被泄露</p> <p>站点安全就是为保护站点不受未授权的访问、使用、修改和破坏而采取的行为或实践</p> <p>我们常见的Web攻击方式有</p> <ul><li>XSS (Cross Site Scripting) 跨站脚本攻击</li> <li>CSRF（Cross-site request forgery）跨站请求伪造</li> <li>SQL注入攻击</li></ul> <h2 id="二、xss"><a href="#二、xss" class="header-anchor">#</a> 二、XSS</h2> 
<p>XSS，跨站脚本攻击，允许攻击者将恶意代码植入到提供给其它用户使用的页面中</p> <p><code>XSS</code>涉及到三方，即攻击者、客户端与<code>Web</code>应用</p> <p><code>XSS</code>的攻击目标是为了盗取存储在客户端的<code>cookie</code>或者其他网站用于识别客户端身份的敏感信息。一旦获取到合法用户的信息后，攻击者甚至可以假冒合法用户与网站进行交互</p> <p>举个例子：</p> <p>一个搜索页面，根据<code>url</code>参数决定关键词的内容</p> <div class="language-html extra-class"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>input</span> <span class="token attr-name">type</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>text<span class="token punctuation">&quot;</span></span> <span class="token attr-name">value</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>&lt;%= getParameter(<span class="token punctuation">&quot;</span></span><span class="token attr-name">keyword&quot;)</span> <span class="token attr-name">%</span><span class="token punctuation">&gt;</span></span>&quot;&gt;
<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>button</span><span class="token punctuation">&gt;</span></span>搜索<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>button</span><span class="token punctuation">&gt;</span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>div</span><span class="token punctuation">&gt;</span></span>
  您搜索的关键词是：&lt;%= getParameter(&quot;keyword&quot;) %&gt;
<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>div</span><span class="token punctuation">&gt;</span></span>
</code></pre></div><p>这里看似并没有问题，但是如果不按套路出牌呢？</p> <p>用户输入<code>&quot;&gt;&lt;script&gt;alert('XSS');&lt;/script&gt;</code>，拼接到 HTML 中返回给浏览器。形成了如下的 HTML：</p> <div class="language-html extra-class"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>input</span> <span class="token attr-name">type</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>text<span class="token punctuation">&quot;</span></span> <span class="token attr-name">value</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span><span class="token punctuation">&quot;</span></span><span class="token punctuation">&gt;</span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>script</span><span class="token punctuation">&gt;</span></span><span class="token script"><span class="token language-javascript"><span class="token function">alert</span><span class="token punctuation">(</span><span class="token string">'XSS'</span><span class="token punctuation">)</span><span class="token punctuation">;</span></span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>script</span><span class="token punctuation">&gt;</span></span>&quot;&gt;
<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>button</span><span class="token punctuation">&gt;</span></span>搜索<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>button</span><span class="token punctuation">&gt;</span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>div</span><span class="token punctuation">&gt;</span></span>
  您搜索的关键词是：&quot;&gt;<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>script</span><span class="token punctuation">&gt;</span></span><span class="token script"><span class="token language-javascript"><span class="token function">alert</span><span class="token punctuation">(</span><span class="token string">'XSS'</span><span class="token punctuation">)</span><span class="token punctuation">;</span></span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>script</span><span class="token punctuation">&gt;</span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>div</span><span class="token punctuation">&gt;</span></span>
</code></pre></div><p>浏览器无法分辨出 <code>&lt;script&gt;alert('XSS');&lt;/script&gt;</code> 是恶意代码，因而将其执行，试想一下，如果是获取<code>cookie</code>发送到黑客服务器呢？</p> <p>根据攻击的来源，<code>XSS</code>攻击可以分成：</p> <ul><li>存储型</li> <li>反射型</li> <li>DOM 型</li></ul> <h3 id="存储型"><a href="#存储型" class="header-anchor">#</a> 存储型</h3> <p>存储型 XSS 的攻击步骤：</p> <ol><li>攻击者将恶意代码提交到目标网站的数据库中</li> <li>用户打开目标网站时，网站服务端将恶意代码从数据库取出，拼接在 HTML 中返回给浏览器</li> <li>用户浏览器接收到响应后解析执行，混在其中的恶意代码也被执行</li> <li>恶意代码窃取用户数据并发送到攻击者的网站，或者冒充用户的行为，调用目标网站接口执行攻击者指定的操作</li></ol> <p>这种攻击常见于带有用户保存数据的网站功能，如论坛发帖、商品评论、用户私信等</p> <h3 id="反射型-xss"><a href="#反射型-xss" class="header-anchor">#</a> 反射型 XSS</h3> <p>反射型 XSS 的攻击步骤：</p> <ol><li>攻击者构造出特殊的 URL，其中包含恶意代码</li> <li>用户打开带有恶意代码的 URL 时，网站服务端将恶意代码从 URL 中取出，拼接在 HTML 中返回给浏览器</li> <li>用户浏览器接收到响应后解析执行，混在其中的恶意代码也被执行</li> <li>恶意代码窃取用户数据并发送到攻击者的网站，或者冒充用户的行为，调用目标网站接口执行攻击者指定的操作</li></ol> <p>反射型 XSS 跟存储型 XSS 的区别是：存储型 XSS 的恶意代码存在数据库里，反射型 XSS 的恶意代码存在 URL 里。</p> <p>反射型 XSS 漏洞常见于通过 URL 传递参数的功能，如网站搜索、跳转等。</p> <p>由于需要用户主动打开恶意的 URL 才能生效，攻击者往往会结合多种手段诱导用户点击。</p> <p>POST 的内容也可以触发反射型 XSS，只不过其触发条件比较苛刻（需要构造表单提交页面，并引导用户点击），所以非常少见</p> <h3 id="dom-型-xss"><a href="#dom-型-xss" class="header-anchor">#</a> DOM 型 XSS</h3> <p>DOM 型 XSS 的攻击步骤：</p> <ol><li>攻击者构造出特殊的 URL，其中包含恶意代码</li> <li>用户打开带有恶意代码的 URL</li> <li>用户浏览器接收到响应后解析执行，前端 JavaScript 取出 URL 中的恶意代码并执行</li> <li>恶意代码窃取用户数据并发送到攻击者的网站，或者冒充用户的行为，调用目标网站接口执行攻击者指定的操作</li></ol> <p>DOM 型 XSS 跟前两种 XSS 的区别：DOM 型 XSS 攻击中，取出和执行恶意代码由浏览器端完成，属于前端 JavaScript 自身的安全漏洞，而其他两种 XSS 都属于服务端的安全漏洞</p> <h3 id="xss的预防"><a href="#xss的预防" class="header-anchor">#</a> XSS的预防</h3> <p>通过前面介绍，看到<code>XSS</code>攻击的两大要素：</p> <ul><li>攻击者提交恶意代码</li> <li>浏览器执行恶意代码</li></ul> <p>针对第一个要素，我们可以在用户输入的过程中，过滤掉用户输入的恶意代码，然后再提交给后端；但是如果攻击者绕开前端页面，直接构造请求发送给后端，前端过滤就无法预防了</p> <p>而如果在后端写入数据库前，对输入进行过滤，然后把内容给前端，那么这个内容在不同地方就会有不同显示</p> <p>例如：</p> <p>一个正常的用户输入了 <code>5 &lt; 7</code> 这个内容，在写入数据库前，被转义，变成了 <code>5 &amp;lt; 7</code></p> <p>在客户端中，一旦再经过一次 <code>escapeHTML()</code>，客户端显示的内容就变成了乱码( <code>5 &amp;amp;lt; 7</code> )</p> <p>在前端中，不同的位置所需的编码也不同。</p> <ul><li>当 
<code>5 &amp;lt; 7</code> 作为 HTML 拼接页面时，可以正常显示：</li></ul> <div class="language-html extra-class"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>div</span> <span class="token attr-name">title</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>comment<span class="token punctuation">&quot;</span></span><span class="token punctuation">&gt;</span></span>5 <span class="token entity named-entity" title="&lt;">&amp;lt;</span> 7<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>div</span><span class="token punctuation">&gt;</span></span>
</code></pre></div><ul><li>当 <code>5 &amp;lt; 7</code> 通过 Ajax 返回，然后赋值给 JavaScript 的变量时，前端得到的字符串就是转义后的字符。这个内容不能直接用于 Vue 等模板的展示，也不能直接用于内容长度计算，更不能用于标题、alert 等</li></ul> <p>可以看到，单靠输入过滤并不可靠，下面从防止浏览器执行恶意代码入手：</p> <p>在使用 <code>.innerHTML</code>、<code>.outerHTML</code>、<code>document.write()</code> 时要特别小心，不要把不可信的数据作为 HTML 插到页面上，而应尽量使用 <code>.textContent</code>、<code>.setAttribute()</code> 等</p> <p>如果用 <code>Vue/React</code> 技术栈，并且不使用 <code>v-html</code>/<code>dangerouslySetInnerHTML</code> 功能，就在前端 <code>render</code> 阶段避免了 <code>innerHTML</code>、<code>outerHTML</code> 的 XSS 隐患</p> <p>DOM 中的内联事件监听器，如 <code>onclick</code>、<code>onerror</code>、<code>onload</code>、<code>onmouseover</code> 等，<code>location</code> 和 <code>&lt;a&gt;</code> 标签的 <code>href</code> 属性，JavaScript 的 <code>eval()</code>、<code>setTimeout()</code>、<code>setInterval()</code> 等，都能把字符串作为代码运行。如果不可信的数据拼接到字符串中传递给这些 API，很容易产生安全隐患，请务必避免</p> <div class="language-js extra-class"><pre class="language-js"><code><span class="token operator">&lt;</span><span class="token operator">!</span><span class="token operator">--</span> 链接内包含恶意代码 <span class="token operator">--</span><span class="token operator">&gt;</span>
<span class="token operator">&lt;</span> a href<span class="token operator">=</span><span class="token string">&quot; &quot;</span><span class="token operator">&gt;</span><span class="token number">1</span><span class="token operator">&lt;</span><span class="token operator">/</span> a<span class="token operator">&gt;</span>

<span class="token operator">&lt;</span>script<span class="token operator">&gt;</span>
<span class="token comment">// setTimeout()/setInterval() 中调用恶意代码</span>
<span class="token function">setTimeout</span><span class="token punctuation">(</span><span class="token string">&quot;UNTRUSTED&quot;</span><span class="token punctuation">)</span>
<span class="token function">setInterval</span><span class="token punctuation">(</span><span class="token string">&quot;UNTRUSTED&quot;</span><span class="token punctuation">)</span>

<span class="token comment">// location 调用恶意代码</span>
location<span class="token punctuation">.</span>href <span class="token operator">=</span> <span class="token string">'UNTRUSTED'</span>

<span class="token comment">// eval() 中调用恶意代码</span>
<span class="token function">eval</span><span class="token punctuation">(</span><span class="token string">&quot;UNTRUSTED&quot;</span><span class="token punctuation">)</span>
</code></pre></div><h2 id="三、csrf"><a href="#三、csrf" class="header-anchor">#</a> 三、CSRF</h2> <p>CSRF（Cross-site request forgery）跨站请求伪造：攻击者诱导受害者进入第三方网站，在第三方网站中，向被攻击网站发送跨站请求</p> <p>利用受害者在被攻击网站已经获取的注册凭证，绕过后台的用户验证，达到冒充用户对被攻击的网站执行某项操作的目</p> <p>一个典型的CSRF攻击有着如下的流程：</p> <ul><li>受害者登录a.com，并保留了登录凭证（Cookie）</li> <li>攻击者引诱受害者访问了b.com</li> <li>b.com 向 a.com 发送了一个请求：a.com/act=xx。浏览器会默认携带a.com的Cookie</li> <li>a.com接收到请求后，对请求进行验证，并确认是受害者的凭证，误以为是受害者自己发送的请求</li> <li>a.com以受害者的名义执行了act=xx</li> <li>攻击完成，攻击者在受害者不知情的情况下，冒充受害者，让a.com执行了自己定义的操作</li></ul> <p><code>csrf</code>可以通过<code>get</code>请求，即通过访问<code>img</code>的页面后，浏览器自动访问目标地址，发送请求</p> <p>同样，也可以设置一个自动提交的表单发送<code>post</code>请求，如下：</p> <div class="language-js extra-class"><pre class="language-js"><code><span class="token operator">&lt;</span>form action<span class="token operator">=</span><span class="token string">&quot;http://bank.example/withdraw&quot;</span> method<span class="token operator">=</span><span class="token constant">POST</span><span class="token operator">&gt;</span>
    <span class="token operator">&lt;</span>input type<span class="token operator">=</span><span class="token string">&quot;hidden&quot;</span> name<span class="token operator">=</span><span class="token string">&quot;account&quot;</span> value<span class="token operator">=</span><span class="token string">&quot;xiaoming&quot;</span> <span class="token operator">/</span><span class="token operator">&gt;</span>
    <span class="token operator">&lt;</span>input type<span class="token operator">=</span><span class="token string">&quot;hidden&quot;</span> name<span class="token operator">=</span><span class="token string">&quot;amount&quot;</span> value<span class="token operator">=</span><span class="token string">&quot;10000&quot;</span> <span class="token operator">/</span><span class="token operator">&gt;</span>
    <span class="token operator">&lt;</span>input type<span class="token operator">=</span><span class="token string">&quot;hidden&quot;</span> name<span class="token operator">=</span><span class="token string">&quot;for&quot;</span> value<span class="token operator">=</span><span class="token string">&quot;hacker&quot;</span> <span class="token operator">/</span><span class="token operator">&gt;</span>
<span class="token operator">&lt;</span><span class="token operator">/</span>form<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>script<span class="token operator">&gt;</span> document<span class="token punctuation">.</span>forms<span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span><span class="token punctuation">.</span><span class="token function">submit</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span> 
</code></pre></div><p>访问该页面后，表单会自动提交，相当于模拟用户完成了一次<code>POST</code>操作</p> <p>还有一种为使用<code>a</code>标签的，需要用户点击链接才会触发</p> <p>用户点击该链接后，浏览器会携带 Cookie 访问目标地址，相当于模拟用户完成了一次操作</p> <div class="language-html extra-class"><pre class="language-html"><code>&lt; a href=&quot;http://test.com/csrf/withdraw.php?amount=1000&amp;for=hacker&quot; taget=&quot;_blank&quot;&gt;
    重磅消息！！
<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>a</span><span class="token punctuation">/&gt;</span></span>
</code></pre></div><h3 id="csrf的特点"><a href="#csrf的特点" class="header-anchor">#</a> CSRF的特点</h3> <ul><li>攻击一般发起在第三方网站，而不是被攻击的网站。被攻击的网站无法防止攻击发生</li> <li>攻击利用受害者在被攻击网站的登录凭证，冒充受害者提交操作；而不是直接窃取数据</li> <li>整个过程攻击者并不能获取到受害者的登录凭证，仅仅是“冒用”</li> <li>跨站请求可以用各种方式：图片URL、超链接、CORS、Form提交等等。部分请求方式可以直接嵌入在第三方论坛、文章中，难以进行追踪</li></ul> <h3 id="csrf的预防"><a href="#csrf的预防" class="header-anchor">#</a> CSRF的预防</h3> <p>CSRF通常从第三方网站发起，被攻击的网站无法防止攻击发生，只能通过增强自己网站针对CSRF的防护能力来提升安全性</p> <p>防止<code>csrf</code>常用方案如下：</p> <ul><li>阻止不明外域的访问
<ul><li>同源检测</li> <li>Samesite Cookie</li></ul></li> <li>提交时要求附加本域才能获取的信息
<ul><li>CSRF Token</li> <li>双重Cookie验证</li></ul></li></ul> <p>这里主要讲讲<code>token</code>这种形式，流程如下：</p> <ul><li>用户打开页面的时候，服务器需要给这个用户生成一个Token</li> <li>对于GET请求，Token将附在请求地址之后。对于 POST 请求来说，要在 form 的最后加上</li></ul> <div class="language-html extra-class"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>input</span> <span class="token attr-name">type</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span>&quot;hidden&quot;</span> <span class="token attr-name">name</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span>&quot;csrftoken&quot;</span> <span class="token attr-name">value</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span>&quot;tokenvalue&quot;/</span><span class="token punctuation">&gt;</span></span>
</code></pre></div><ul><li>当用户从客户端得到了Token，再次提交给服务器的时候，服务器需要判断Token的有效性</li></ul> <h2 id="四、sql注入"><a href="#四、sql注入" class="header-anchor">#</a> 四、SQL注入</h2> <p>Sql 注入攻击，是通过将恶意的 <code>Sql</code>查询或添加语句插入到应用的输入参数中，再在后台 <code>Sql</code>服务器上解析执行进行的攻击</p> <p><img src="https://static.vue-js.com/ead52fa0-8d1d-11eb-85f6-6fac77c0c9b3.png" alt=""></p> <p>流程如下所示：</p> <ul><li><p>找出SQL漏洞的注入点</p></li> <li><p>判断数据库的类型以及版本</p></li> <li><p>猜解用户名和密码</p></li> <li><p>利用工具查找Web后台管理入口</p></li> <li><p>入侵和破坏</p></li></ul> <p>预防方式如下：</p> <ul><li>严格检查输入变量的类型和格式</li> <li>过滤和转义特殊字符</li> <li>使用参数化查询（预编译语句），不把用户输入直接拼接进 SQL 语句</li> <li>对访问数据库的Web应用程序采用Web应用防火墙</li></ul> <p>上述只是列举了常见的<code>web</code>攻击方式，实际开发过程中还会遇到很多安全问题，对于这些问题，切记不可忽视</p> <h2 id="参考文献"><a href="#参考文献" class="header-anchor">#</a> 参考文献</h2> <ul><li><a href="https://tech.meituan.com/2018/09/27/fe-security.html" target="_blank" rel="noopener noreferrer">https://tech.meituan.com/2018/09/27/fe-security.html<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></li> <li><a href="https://developer.mozilla.org/zh-CN/docs/learn/Server-side/First_steps/Website_security" target="_blank" rel="noopener noreferrer">https://developer.mozilla.org/zh-CN/docs/learn/Server-side/First_steps/Website_security<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> 
<polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></li></ul></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">更新时间:</span> <span class="time">12/1/2021, 9:27:10 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev">
    </span></p></div> </main></div><div class="global-ui"><!----></div></div>
    <script src="/assets/js/app.bf44e39b.js" defer></script><script src="/assets/js/2.db7a59af.js" defer></script><script src="/assets/js/39.f71e5e3d.js" defer></script>
  </body>
</html>
